2

Machines on my company's network can access file shares on a Windows Server 2022 system using the FQDN, but they can't access them using a DNS alias. I reviewed How to configure a Windows machine to allow file sharing with a DNS alias and followed this step:

  • Edit the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and add a value DisableStrictNameChecking of type DWORD set to 1.

After a system reboot, the machines still can't access the file shares using the DNS alias.

Any suggestions?

5
  • Does the alias have a valid DNS entry?
    – yagmoth555
    Oct 11 at 3:12
  • Yes, I can ping the alias and use it to remote desktop to the server.
    – Russ
    Oct 11 at 4:42
  • What occurs when they attempt to access the share? Are there any dialogs with messages? Event viewer messages on the host or client?
    – Greg Askew
    Oct 11 at 9:48
  • After a system reboot, the machines still can't access the file shares using the DNS alias - Surely the client sees some kind of error message? What is it?
    – joeqwerty
    Oct 11 at 13:39
  • The permission on each share is open to Everyone. When I successfully access a share using the FQDN there is no prompt for credentials, but when I use the DNS name there is a prompt to "Enter network credentials" along with a string in red "Access is denied." When I enter credentials, the prompt disappears for a second, then reappears and again shows "Access is denied." I checked Application, Security, Setup, System event logs. Security logs show a new logon event as well as a log off event for my account that correspond with the time that I enter credentials to access a share.
    – Russ
    Oct 12 at 0:05

1 Answer

2

It is possible you are running into a Kerberos problem, because if you just set a DNS record, the computer object does not get updated with the required SPN (Service Principal Name). While you can add the SPN manually and it will work, there is another way. First, delete the DNS alias.

The old method of adding a DNS alias and setting the DisableStrictNameChecking registry value is not recommended anymore since it does not automatically manage SPNs. However, this new method is only supported on servers; the command will fail on clients.

When issuing the netdom computername /add: command, all service classes (even custom ones) present at this point in time will get duplicated for the additional hostname. This is a one-time action. If at any point in the future an SPN gets added automatically (e.g. by enabling RDP access for the first time, which adds the TERMSRV service class), that will only add the SPN for the primary hostname; the SPNs for the additional hostnames must be added manually. So the recommendation is to fully install a server with all roles first before adding any additional hostnames.

  1. Log on to the server for which you want to add the additional hostname and open an administrative PowerShell (as domain admin, or as someone who can write the attributes servicePrincipalName and msDS-AdditionalDnsHostName)

  2. Add the additional hostname

    netdom computername SERVER /add:server.domain.com
    
  3. Refresh DNS

    ipconfig /registerdns
    

If the command fails with an error (i.e. the alias is already present somewhere in AD … The system cannot open the device or file specified …), (only) the /enum command will still list the additional hostname, probably because it gets written to the registry immediately. So make sure to clean up the entry with /remove first before you try again.

Note: This method causes the server to automatically register this additional hostname (called OptionalNames in the registry) in DNS as a second A Record (not CNAME).
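The procedure above, plus the manual SPN catch-up the answer warns about, as an added PowerShell example (not code from the original post or from the answerer). It assumes netdom.exe, setspn.exe and the RSAT ActiveDirectory module are present on the server, that it runs in an elevated session as an account that can write servicePrincipalName and msDS-AdditionalDnsHostName, and that the alias name files.corp.example.com is a placeholder to be replaced with your own:

```powershell
#Requires -RunAsAdministrator
# Added example: register an alternate hostname with netdom, then make sure every
# SPN that exists for the primary FQDN also exists for the alias (netdom only copies
# SPNs once; anything added later, e.g. TERMSRV, has to be mirrored by hand).
param(
    [string]$Alias = 'files.corp.example.com'   # assumed placeholder alias
)
Import-Module ActiveDirectory -ErrorAction Stop

$computer = $env:COMPUTERNAME
$primary  = [System.Net.Dns]::GetHostEntry($computer).HostName   # this host's FQDN

# 1. The alias must not be a CNAME: netdom registers it as a second A record itself,
#    and a leftover CNAME would make clients build a ticket request for the wrong name.
$cname = Resolve-DnsName -Name $Alias -Type CNAME -ErrorAction SilentlyContinue |
         Where-Object QueryType -eq 'CNAME'
if ($cname) {
    throw "Delete the CNAME $Alias -> $($cname.NameHost) before running netdom."
}

# 2. Add the alternate name unless /enum already lists it (a failed earlier /add can
#    leave it in the registry; /remove it first in that case, as the answer notes).
$already = netdom computername $computer /enum | Select-String -SimpleMatch -Quiet $Alias
if (-not $already) {
    netdom computername $computer /add:$Alias
    if ($LASTEXITCODE -ne 0) {
        throw "netdom /add failed (exit $LASTEXITCODE); check /enum and /remove any stale entry."
    }
    ipconfig /registerdns | Out-Null
}

# 3. Reconcile SPNs. Every SPN registered for the primary FQDN (class/host[:port]) gets a
#    twin for the alias. setspn -S checks the forest for duplicates and refuses to add one.
$acct = Get-ADComputer -Identity $computer -Properties servicePrincipalName, 'msDS-AdditionalDnsHostName'
$spns = @($acct.servicePrincipalName)
$wanted = $spns |
    Where-Object { $_ -match "^[^/]+/$([regex]::Escape($primary))(:\d+)?$" } |
    ForEach-Object { $_ -replace [regex]::Escape($primary), $Alias }
foreach ($spn in $wanted) {
    if ($spns -notcontains $spn) {
        setspn -S $spn "$computer`$"
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "setspn -S $spn failed; the SPN is probably registered on another account."
        }
    }
}

# 4. Report what AD now holds and confirm a CIFS ticket for the alias can be obtained.
Get-ADComputer -Identity $computer -Properties servicePrincipalName, 'msDS-AdditionalDnsHostName' |
    Select-Object Name, 'msDS-AdditionalDnsHostName', servicePrincipalName | Format-List
klist purge | Out-Null
klist get "cifs/$Alias"
```

Run it once right after netdom, and again after any role that registers its own SPN has been enabled; step 3 is idempotent and only adds what is missing. If `klist get` at the end fails with a KDC error for the CIFS name, the SPN is still missing or is registered on a different account (`setspn -Q cifs/<alias>` or `setspn -Q HOST/<alias>` shows which one), and clients will fall back to NTLM, which is exactly the credential prompt described in the question.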
